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© Licence management mechanism for a computer system. 



© A computer system includes a license manager 
for regulating usage of software items. The license 
manager checks the host identity of the computer on 
which it runs and permits usage only if the host 
identity matches an identity value in a license key. 
The host identity of the computer is supplied by a 
security identification device removably coupled to 
an external port on the computer. Communication of 
the host identity between the security identifier de- 
vice and the license manager is protected by en- 
cryption. 



Fig 1 



LINKS TO OTHER COMPUTERS 
-12 



C0MMS 



LICENSE 
MANAGER 



TAB*? ! | 



LOG 



OPERATING SYSTEM 



COMPUTER 



SECURITY 
IDENTIFIER 
DEVICE 



A 



26 



28-/ 



Rank Xerox (UK) Business Services 

(3.10/3.09/3.3.4) 



1 



EP 0 613 073 A1 



2 



Background to the invention 

This invention relates to a license management 
mechanism for a computer system, for controlling 
use of licensed software. 

Software is normally licensed rather than sold 
in order that restrictions on unauthorised use can 
be legally enforced. Various schemes have been 
tried to make the software enforce these restric- 
tions itself, including copy protection, hardware 
keys, etc., but the current trend is to the use of 
license keys that are packets of data which permit 
the software to work only on a particular machine. 

One way in which this has been implemented 
is through the provision of a mechanism referred to 
as a license manager to which the handling of 
these license keys is delegated. By centralising the 
handling of the license keys it is possible to restrict 
the use of software not just to a single machine but 
to a network of machines. This provides additional 
flexibility for the user as well as providing the 
potential for more sophisticated control over the 
use of the software within a user organisation. 

Central to the use of license managers to con- 
trol the use of software in this way is the ability to 
identify which machine the license manager is run- 
ning. If this were not done it would be possible to 
obtain license keys for use on one machine and 
use them on any number of machines. Various 
schemes have been used to achieve this identifica- 
tion, including serial numbers built into the machine 
processor, use of Ethernet DTE addresses, etc. 

The object of the present invention is to pro- 
vide a novel way of identifying the machine on 
which a license manager is running. 

Summary of the invention 

According to the invention there is provided a 
computer system including a license manager for 
regulating usage of software items in accordance 
with license keys issued to the license manager, 
the license manager being arranged to check the 
host identity of the computer on which it runs and 
to permit usage only if the host identity matches an 
identity value in the license keys, characterised in 
that the host identity of the computer is supplied 
by a security identification device removably coup- 
led to an external port on the computer. 

Such identification devices have been used for 
PC software to permit the software to run only on 
machines that have the device attached. These 
devices are usually referred to as dongles. The 
present invention differs from such known use of 
dongles in that in the present case the device is 
used to identify the machine to the license man- 
ager, rather than to authorise a particular item of 
software. 



Brief description of the drawings 

Figure 1 is a block diagram of a computer 
system embodying the invention. 
5 Figure 2 is a flow chart showing the operation 

of a license manager in response to a request to 
use a feature. 

Figure 3 is a flow chart showing a host identity 
checking function performed by the license man- 
70 ager. 

Description of an embodiment of the invention 

One embodiment of the invention will now be 
75 described by way of example with reference to the 
accompanying drawing. 

Referring to Figure 1 , the system comprises a 
number of computers 10, linked together by means 
of communications links 12 to form a data process- 
20 ing network. 

Each of the computers runs an operating sys- 
tem 14 which controls and coordinates the opera- 
tion of the computer, and communications software 
16 which allows the computer to communicate with 
25 the other computers in the system over the links 
12. Each computer also runs a number of applica- 
tions 18 (where an application is any logical soft- 
ware entity). 

At least one of the computers runs a program 
30 referred to herein as the license manager (LM) 20. 
The function of the LM is to regulate the applica- 
tions within a particular domain, so that each ap- 
plication can be used only to the extent permitted 
by licenses granted to the system owner. The 
35 domain comprises those applications that can com- 
municate with the LM. In this example, the domain 
extends over a multi-computer network, but in other 
examples it could consist of a single computer. 
Each application has a number of features as- 
40 sociated with it. A "feature" is defined herein as an 
aspect of an application that is subject to license 
control by the LM. A feature may, for example, 
simply be the invocation of the application by a 
user. However, more complex features may be 
45 defined such as number of users, number of com- 
munication links and database size. 

Each application also has an application key 
associated to it, which is unique to the application. 
As will be described, application keys are used to 
50 ensure security of communication between the ap- 
plications and the LM. 

The LM has a private area of memory in which 
it maintains a license table 22 and a log 24. 

The license table holds a number of license 
55 keys that have been issued for this system. Each 
license key contains the following package of in- 
formation :- 

Machine identifier: the identity of the computer on 



2 



3 



EP 0 613 073 A1 



4 



which the license manager is permitted to run. 
Expiry date: the date until which the license key is 
valid. 

Limit: the number of units of a particular feature 
that are licensed (eg the number of users, number 
of communication links, or database size). 
Application key: the key value of the application to 
which the license key relates. 
Signature: a cryptographic signature which ensures 
that the license key cannot be changed without 
detection. 

Whenever one of the applications requires to 
use a feature, it sends a request message to the 
LM. The request message includes: 

- the identity of the feature required 

- the number of units of the feature required 

- the application key 

- a timestamp value. 

Referring to Figure 2, when the LM receives 
this request message, it checks that the timestamp 
value is current. Assuming the timestamp value is 
current, the LM then checks whether there is a 
license key in the license table for the required 
feature. 

If there is a license key in the table, the LM 
then checks whether the expiry date of the license 
has passed, and checks the signature of the li- 
cense key to ensure that it has not been modified. 
The LM also checks whether the required number 
of units are available for the feature (ie whether the 
number of requested units plus the number of units 
already granted is less than or equal to the limit 
value in the license key). 

If all these checks are satisfactory, the LM 
returns a "license granted" message to the ap- 
plication, sealed under the application key. The LM 
keeps a record of the number of units granted for 
each feature. If, on the other hand, any of the 
checks fails, the LM returns a "license denied" 
message to the application. The LM also writes a 
record in the log 24 to indicate whether a license 
has been granted or denied. 

If the application receives a "license granted" 
message, it proceeds to use the requested features 
as required. If, on the other hand, it receives a 
"license denied" message, it performs one of the 
following actions, as determined by the designer of 
the application: 

- the application may simply shut itself down. 

- in the case where the license was denied 
because there were not enough units of the 
requested feature available, the application 
may display a "call again later" message to 
the user. 

- the application may continue running in a 
reduced service mode eg a demonstration 
mode. 



When an application terminates, it sends a 
"license relinquish" message to the LM. The LM 
will then withdraw any licenses issued to this ap- 
plication, making the units available to other ap- 
5 plications. 

Each application is required to send a revalida- 
tion message periodically to the LM, to re-validate 
its license. For example, a revalidation message 
may be required every 5 minutes. If the application 
10 does not receive any response to this message, it 
assumes that it has lost contact with the LM, and 
shuts down or continues in a reduced service 
mode. 

The LM periodically checks whether it has re- 

75 ceived revalidation messages from all the applica- 
tion to which it has granted licenses. If a revalida- 
tion message has not been received from an ap- 
plication, the LM assumes that the application has 
failed, and therefore withdraws the license, making 

20 the units available to other applications. 

In order to ensure that unauthorised copies of 
the LM cannot be run on other systems, it is 
necessary to provide a way of identifying the ma- 
chine on which the LM runs. This is achieved by 

25 means of a security identification device (SID) 26, 
which stores an identifier unique to this device, 
referred to as the secure host identifier. The SID is 
attached to the computer 10 by way of an external 
port 28. In this example, the port is a standard 

30 parallel printer port, and the SID is designed so 
that a printer may be plugged into the back of the 
SID, so that both the printer and SID share the 
same port. Messages for the SID are identified by 
special commands. 

35 In other embodiments of the invention, the SID 

may be attached to a special dedicated port, or to 
some other type of standard port. The port may be 
serial rather than parallel. 

Referring to Figure 3, in order to check the 

40 host identity, the LM sends a request message to 
the SID at regular intervals, requesting it to supply 
the secure host identifier. 

The SID responds to this by returning a mes- 
sage encrypted under a key known only to the SID 

45 and the LM. 

The message contains: 

- the secure host identifier 

- a sequence number, which is incremented 
each time the SID returns a message. 

so When the LM receives this message, it de- 

crypts it, and checks the sequence number to 
ensure that it is the next expected sequential value. 
This ensures that it is not possible to replace the 
SID by a program which intercepts the requests 

55 from the LM and returns a copy of the SID's 
response, or which passes the request to a SID on 
another system. 
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The LM then checks whether the returned se- nodes, 
cure host identifier matches the machine identifiers 
of the license keys held in the license table 22. 

If the LM does not receive any response to a 
request to the SID, or if the response does not 
contain the correct sequence number, or if the 
secure host identifier does not match the machine 
identifiers in the license keys, the LM closes down. 
This means that the LM will not issue any more 
licenses to applications. Also, because the LM will 
not now respond to the revalidation message from 
the application, any outstanding licenses are effec- 
tively cancelled. 

In summary, it can be seen that the LM will 
issue licenses, permitting applications to operate, 
only if a security identification device SID is con- 
nected to the computer, and if the machine identifi- 
ers in the individual license keys issued to the LM 
match the secure host identifier held in the SID. 

It should be noted that the LM can grant li- 
censes to applications running in any of the com- 
puters 10 in the network, not just to applications 
running in the same computer as the LM. The 
number of licenses that may be granted is re- 
stricted by the limit in the license keys. Thus, for 
example, if a license key sets a limit on the num- 
ber of users, then the total number of users of a 
particular application in the network cannot exceed 
this limit. 

The use of the device for the provision of the 
rttifi^Pit'l^^rlSr 
important advantages: 

- if the machine to which the device is attached 
fails, the device can be transferred to another 
machine (new keys are not required) 35 

- the supplier of the device can retain title to 
the device, so in the event of the machine 
being sold the device has to be returned to 
the supplier. Hence all software on the ma- 
chine that would only work with a license 40 
manager will no longer function as required 
by the terms of supply of the software which 
is licensed to a legal entity not to a machine. 

- if the user of the software wishes to change 
the license he has to reduce its capability, 45 
the device can be replaced and new keys 
issued. Current schemes do not provide for 
the secure revocation of the keys. 

- the device can be used to provide secure 
identification on standard hardware platforms 50 
which do not inherently provide such a fa- 
cility, and hence can enable the use of li- 
cense management on such hardware. 

It should be noted that although the embodi- 
ment of the invention described above is a multi- 55 
computer system, the invention is equally applica- 
ble to single processor systems, or to multi-nodal 
systems, comprising a plurality of multi-processor 
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A computer system including a license man- 
ager for regulating usage of software items in 
accordance with license keys issued to the 
license manager, the license manager being 
arranged to check the host identity of the com- 
puter on which it runs and to permit usage 
only if the host identity matches an identity 
value in the license keys, characterised in that 
the host identity of the computer is supplied 
by a security identification device removably 
coupled to an external port on the computer. 

A system according to Claim 1 wherein com- 
munication of the host identity between the 
security identifier device and the license man- 
ager is protected by encryption. 

A system according to Claim 2 wherein each 
host identity returned by the security identifier 
device is encrypted together with a sequence 
number which is incremented each time the 
host identity is returned. 

A system according to any preceding claim 
wherein the license manager regulates the us- 
age of software items within a domain compris- 
■irn^Wsgfi^^ 
the license manager. 

A system according to Claim 4 wherein said 
domain is distributed over a network of com- 
puters. 
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